This explains the sudden release of last week’s firmware updates. Sounds like another serious SSL VPN vulnerability.
God damn, I just upgraded all my customers to 7.0.11 over the last couple of weeks, time to do it all over again. Would love to not have to work every weekend over summer because of this shit.
PSIRT: PSIRT | FortiGuard Labs
Have they publicized IoCs yet?
Correct. Advanced notifications went out several weeks ago. Firmware released last week. Public disclosure tomorrow.
This is a relatively improved process from Fortinet… there is no right way to balance the confidentiality/urgency aspect needed to fix such vulnerabilities in public facing services… but making the (as of yet not in the wild) vulnerability public after people have had the chance to patch or be notified that they should patch, is a step in the right direction.
Oh shit, here we go again
PSIRT is out: https://www.fortiguard.com/psirt/FG-IR-22-377
Blog article: https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
Anyone else here use FortiManager? The problem I've encountered in the past with these emergency FortiOS releases is they don't release an updated version of FortiManager that supports it. So I have to choose between fixing a security hole and being able to manage my devices.
Our implementation of this update on a pair of 300Ds to 6.4.13 reverts the GEO database to 2019. I think it's an oops on the build, emphasis on "think", but how else would our GEO DB go back four years if not via 6.4.12 -> 6.4.13 this morning?
So, beware if you’re GEO-blocking … our experience was sites behind akamai-edge went from being in the US to being in Poland. (insert jokes here!)
Does anyone know why they wait to release the info and cve? Leave us hanging for a week?
Soooo glad we don’t use sslvpn on our Fortigates.
At this rate, with all these vulnerabilities each year, when it's time to renew our firewalls I'm curious to see what direction we will go in.
I’m sure Palo’s will be the main topic of discussion.
I still haven't seen an official PSIRT from Fortinet about affected devices, firmware versions, etc.
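A quick way to triage an inventory once the fixed builds are known, as an added example that is not from any poster in this thread or from Fortinet: it compares each device's `get system status` version string against the fixed versions the thread mentions (7.2.5, 7.0.12, 6.4.13). The inventory below is constructed sample data; other FortiOS branches are deliberately left out and reported as `unknown-branch` so their fixed versions are taken from the PSIRT rather than guessed here.

```python
"""Triage a FortiGate inventory against known-fixed FortiOS builds."""
import re

# Fixed versions per major.minor branch, as reported in the thread.
# Other branches (6.2, 6.0) exist; take their fixed builds from FG-IR-22-377.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
}

# Accepts "7.0.11", "v7.0.11" and the longer "v7.0.11,build0489,230314 (GA.F)"
# form that `get system status` prints (assumed format, constructed here).
VERSION_RE = re.compile(r"^(?:.*\bv)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a FortiOS version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text, sslvpn_enabled=True):
    """Classify one device.

    Returns one of:
      'patched'             - at or above the fixed build for its branch
      'vulnerable'          - below the fixed build with SSL-VPN enabled
      'unpatched-sslvpn-off'- below the fixed build; still needs the upgrade,
                              but the SSL-VPN service is not exposed
      'unknown-branch'      - branch not in FIXED_VERSIONS; check the PSIRT
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    if version >= fixed:
        return "patched"
    return "vulnerable" if sslvpn_enabled else "unpatched-sslvpn-off"


def triage(inventory):
    """Map device name -> status for a list of inventory records."""
    return {
        dev["name"]: assess(dev["version"], dev.get("sslvpn", True))
        for dev in inventory
    }


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"name": "fw-hq-200f", "version": "FortiGate-200F v7.2.5,build1517 (GA.F)"},
    {"name": "fw-branch-60f", "version": "v7.0.11,build0489,230314 (GA.F)"},
    {"name": "fw-dc-300d", "version": "6.4.12", "sslvpn": False},
    {"name": "fw-legacy-100e", "version": "6.2.13"},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:16} {status}")
```

Devices reported as `unknown-branch` are not cleared; they simply fall outside the three branches this thread names.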
Oh no, it's cool, Fortinet. It's cool. I didn't like having a life outside of work anyway. Really appreciate that email at 5:54 PM as I was wrapping up work. I mean, I saw it coming, but still.
7.0.12 also has a bug on some platforms that results in the device not booting, due to the new integrity checks for system files.
Is the device vulnerable if SSL-VPN is terminated on a loopback and only whitelisted IPs are allowed?
Updated to 7.2.5 from 7.2.4 on an HA pair of 200Fs.
Went into conservative mode after 18 hours, then crashed and rebooted.
Can anyone confirm if this attack can be mitigated by setting allowed hosts or countries on the SSL configuration?
We went back to IPSEC based VPNs months ago. Glad we did.
Sorry to hear that. Did you have to jump multiple versions before? Upgrade from 7.0.11 to 7.0.12 should be smoother.
For patch updates like these, would you trust an auto-upgrade process where the FortiGate would just upgrade itself without you touching it?
On the bright side, sounds like AI can't replace you yet.